Security Experts:

Connect with us

Hi, what are you looking for?



Details Published on AWS Flaws Leading to Data Leaks

Researchers at cloud security startup Orca Security have publicly documented a pair of vulnerabilities in AWS CloudFormation and AWS Glue that attackers could use to leak sensitive files or access other customers’ data.

Researchers at cloud security startup Orca Security have publicly documented a pair of vulnerabilities in AWS CloudFormation and AWS Glue that attackers could use to leak sensitive files or access other customers’ data.

The first of the security flaws is described as an XML External Entity (XXE) error that could have been exploited to leak sensitive files stored in the CloudFormation service, as well as to disclose credentials for internal AWS infrastructure services.

CloudFormation is a service that helps users provision AWS resources using templates and to create and configure resources dynamically using API calls.

The XXE vulnerability could have allowed attackers to read files and perform HTTP requests on behalf of a compromised CloudFormation server, according to an advisory from Orca Security.

 [ READ: Remote Code Execution Vulnerability Found in AWS WorkSpaces ]

The host contained multiple AWS service binaries and various configuration files and an attacker could have leveraged the data (including credentials for internal endpoints) to bypass tenant boundaries and gain privileged access to any resource in AWS, the company warned.

The vulnerability was addressed on September 15, 2021, one week after Orca Security reported it to the AWS security response team.

Impacting the AWS Glue service, the second vulnerability could have been used to create resources and access the data belonging to other AWS Glue customers. The exploitation process, however, was complex and required multiple steps.

[ READ: Amazon Sidewalk Mesh Network Raises Security, Privacy Concerns ]

The issue could allow an attacker to obtain credentials providing them with full access to internal service API, and then leverage an internal misconfiguration in AWS Glue – a service helping users easily discover and combine data for analytics, application creation, and machine learning – to gain “unrestricted access to all resources for the service in the region, including full administrative privileges,” Orca Security explained.

Successful exploitation of the bug could have allowed an attacker to assume roles in AWS customer accounts trusted by the Glue service, and query and modify AWS Glue service-related resources.

“We are aware of an issue related to AWS Glue ETL and AWS CloudFormation and can confirm that no AWS customer accounts or data were affected. Upon learning of this matter from Orca Security, we took immediate action to mitigate it within hours and have added additional controls to the services to prevent any recurrence,” and AWS spokesperson told SecurityWeek in an emailed response to this article.

*Updated with comment from AWS

Related: Remote Code Execution Vulnerability Found in AWS WorkSpaces

Related: Amazon to Offer Free Cybersecurity Training Materials, MFA Devices

Related: Amazon Sidewalk Mesh Network Raises Security, Privacy Concerns

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.